From 9401f816dd0d9d550fe98a8507224bde51c4b847 Mon Sep 17 00:00:00 2001 From: hongbotian Date: Mon, 30 Nov 2015 02:41:33 -0500 Subject: upload tomcat JIRA: BOTTLENECK-7 Change-Id: I875d474869efd76ca203c30b60ebc0c3ee606d0e Signed-off-by: hongbotian --- .../docs/reference/apache.html | 1011 ++++++++++++++++++++ 1 file changed, 1011 insertions(+) create mode 100644 rubbos/app/tomcat-connectors-1.2.32-src/docs/reference/apache.html (limited to 'rubbos/app/tomcat-connectors-1.2.32-src/docs/reference/apache.html') diff --git a/rubbos/app/tomcat-connectors-1.2.32-src/docs/reference/apache.html b/rubbos/app/tomcat-connectors-1.2.32-src/docs/reference/apache.html new file mode 100644 index 00000000..9e7a7aa5 --- /dev/null +++ b/rubbos/app/tomcat-connectors-1.2.32-src/docs/reference/apache.html @@ -0,0 +1,1011 @@ +The Apache Tomcat Connector - Reference Guide - Configuring Apache
Apache TomcatApache Logo

Links

Reference Guide

Generic HowTo

Webserver HowTo

AJP Protocol Reference

Miscellaneous Documentation

News

The Apache Tomcat Connector - Reference Guide

Configuring Apache

Printer Friendly Version
print-friendly
version +
Configuration Directives
+

+Most of the directives are allowed once in the global part of the Apache httpd +configuration and once in every <VirtualHost> elements. Exceptions from this rule are +explicitly listed in the table below. +

+

+Most values are inherited from the main server to the virtual hosts. +Since version 1.2.20 they can be overwritten in the virtual hosts. +Exceptions from this rule are again explicitly listed in the table below. +See especially JkMountCopy. +

+

+Warning: If Apache httpd and Tomcat are configured to serve content from +the same filing system location then care must be taken to ensure that httpd is +not able to serve inappropriate content such as the contents of the WEB-INF +directory or JSP source code. +

+

+This could occur if the httpd DocumentRoot +overlaps with a Tomcat Host's appBase or the docBase of any Context. It could +also occur when using the httpd Alias directive with a Tomcat Host's appBase or +the docBase of any Context. +

+

+Here are the all directives supported by Apache: +

+
DirectiveDescription
JkWorkersFile

+The name of a worker file for the Tomcat servlet containers. +
+This directive is only allowed once. It must be put into +the global part of the configuration. +
+If you don't use the JkWorkerProperty directives, then you must +define your workers with a valid JkWorkersFile. There is no default +value. +

JkWorkerProperty

+Enables setting worker properties inside Apache configuration file. +The syntax is the same as in the JkWorkersFile (usually workers.properties). +Simply prefix each line with "JkWorkerProperty" to put it directly into +the Apache httpd config files. +
+This directive is allowed multiple times. +It must be put into the global part of the configuration. +
+If you don't use the JkWorkerProperty directives, then you must +define your workers with a valid JkWorkersFile. There is no default +value. +
+This directive is available in jk1.2.7 version and later. +

JkShmFile

+Shared memory file name. Used only on unix platforms. +The shm file is used by balancer and status workers. +
+This directive is only allowed once. It must be put into +the global part of the configuration. +
+The default value is logs/jk-runtime-status. +It is highly recommended that the shm file be placed on a local +drive and not an NFS share. +

+

+The shared memory contains configuration and runtime information for load balancer +workers and their members. It is need in order that all apache children +

    +
  • share the same status information for load balancing members (OK, ERROR, ...),
    • +
  • share the information about load taken by the individual workers,
    • +
  • share the information for the parts of the configuration, which are changeable +during runtime by status workers.
    • +
+

+
JkShmSize

+Size of the shared memory file name. +
+This directive is only allowed once. It must be put into +the global part of the configuration. +
+The default value depends on the platform. It is usually less than 64KB. +

JkMountFile

+File containing multiple mappings from a context to a Tomcat worker. +It is usually called uriworkermap.properties. +
+For inheritance rules, see: JkMountCopy. +
+There is no default value. +

JkMountFileReload

+This directive configures the reload check interval in seconds. +The JkMountFile is checked periodically for changes. +A changed file gets reloaded automatically. If you set +this directive to "0", reload checking is turned off. +
+The default value is 60 seconds. +
+This directive has been added in version 1.2.20 of mod_jk. +

JkMount

+A mount point from a context to a Tomcat worker. +
+This directive is allowed multiple times. +It is allowed in the global configuration and in VirtualHost. +You can also use it inside Location with a different syntax. +Inside Location, one omits the first argument (path), +which gets inherited from the Location. +
+By default JkMount entries are not inherited from the global +server to other VirtualHosts or between VirtualHosts. +For the complete inheritance rules, see: JkMountCopy. +

JkUnMount

+An exclusion mount point from a context to a Tomcat worker. +All exclusion mounts are checked after mapping a request +to a tomcat worker. If the request maps also to an exclusion, +it will not be forwarded to tomcat, and instead be served locally. +
+This directive is allowed multiple times. +It is allowed in the global configuration and in VirtualHost. +You can also use it inside Location with a different syntax. +Inside Location, one omits the first argument (path), +which gets inherited from the Location. +For inheritance rules, see: JkMountCopy. +
+This directive is available in jk1.2.7 version and later. +

JkAutoAlias

+Automatically Alias webapp context directories into the Apache +document space. +
+Care should be taken to ensure that only static content is served via httpd as a +result of using this directive. Any static content served by httpd will bypass any +security constraints defined in the application's web.xml. +
+For inheritance rules, see: JkMountCopy. +
+There is no default value. +

JkMountCopy

+If this directive is set to "On" in some virtual server, +the mounts from the global server will be copied to this +virtual server, more precisely all mounts defined by JkMount +or JkUnMount. The Mounts defined by JkMountFile and JkAutoAlias +will only be inherited, if the VirtualHost does not define +it's own JkMountFile or JkAutoAlias. +
+If you want all vhost to inherit mounts from the main server, +you can set JkMountCopy to 'All' in the main server. +
+This directive is only allowed inside VirtualHost (with value "On") +and in the global server (with value "All"). +
+The default is Off, so no mounts will be inherited from the global +server to any VirtualHost. +
+Starting with version 1.2.26 you can also set it to "All" in the +global virtual server. This will switch the default to On. +

JkWorkerIndicator

+Name of the Apache environment variable that can be used to set worker names +in combination with SetHandler jakarta-servlet. +
+This directive is only allowed once per virtual server. +It is allowed in the global configuration and in VirtualHost. +
+The default value is JK_WORKER_NAME. +

JkWatchdogInterval

+This directive configures the watchdog thread interval in seconds. +The workers are maintained periodically by a background thread +running periodically every watchdog_interval seconds. Worker maintenance +checks for idle connections, corrects load status and is able +to detect backend health status. +
+The maintenance only happens, if since the last maintenance at +least worker.maintain +seconds have passed. So setting the JkWatchdogInterval +much smaller than worker.maintain is not useful. +
+The default value is 0 seconds, meaning the watchdog thread +will not be created, and the maintenance is done in combination +with normal requests instead. +
+This directive is only allowed once. It must be put into +the global part of the configuration. +
+This directive has been added in version 1.2.27 of mod_jk. +It is available only for httpd 2.x and above using APR libraries +including thread support. +

JkLogFile

+Full or server relative path to the Tomcat Connector module log file. +It will also work with pipe, by using a value of the form "| ...". +
+The default value is logs/mod_jk.log. +
+Pipes are supported for Apache 1.3 only since version 1.2.16. +The default value exists only since version 1.2.20. +

JkLogLevel

+The Tomcat Connector module log level, can be debug, info, warn +error or trace. +
+The default value is info. +

JkLogStampFormat

+The Tomcat Connector module date log format, using an +extended strftime syntax. +This format will be used for the time stamps in the JkLogFile. +The maximum length of the format is 63 characters. +
+Starting with version 1.2.24 of mod_jk you can also use %Q +for adding milliseconds to the log and %q for microseconds. +These conversion specifiers are an extension to strftime. +They will only work on platforms with a gettimeofday() function. +You can use %Q and %q only once in the pattern and also not both +together in the same pattern. +
+The default value is "[%a %b %d %H:%M:%S %Y] " and beginning +with version 1.2.24 on platforms with a gettimeofday() +function it is "[%a %b %d %H:%M:%S.%Q %Y] ". +

JkRequestLogFormat

+Request log format string. See detailed description below. +
+There is no default value. Without defining a value, the request logging +is turned off. +

JkExtractSSL

+Turns on SSL processing and information gathering by mod_jk +
+The default value is On. +
+In order to make SSL data available for mod_jk in Apache, you need to +set SSLOptions +StdEnvVars. For the certificate information you also need +to add SSLOptions +ExportCertData. +

+

+ Specifically, mod_jk will export the following environment variables from + Apache httpd to Tomcat under these request attributes as per the + Servlet Specification 3.0, section 3.8: +

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
Env VarRequest Attribute NameTypeExample
SSL_CIPHER
(or JkKEYSIZEIndicator)		javax.servlet.request.cipher_suitejava.lang.StringDHE-RSA-AES256-SHA
SSL_CIPHER_USEKEYSIZE
(or JkKEYSIZEIndicator)		javax.servlet.request.key_sizejava.lang.Integer256
SSL_SESSION_ID
(or JkSESSIONIndicator)		javax.servlet.request.ssl_sessionjava.lang.String905...32E (a hex string)
SSL_CLIENT_CERT_CHAIN_n
(or JkCERTCHAINPrefixn)		javax.servlet.request.X509Certificatejava.security.X509Certificate[](A chain of certs in ascending order of trust, the first one being + ths client's certificate, the second being the signer of that + certificate, and so on)
+

+ For all other SSL-related variables, use JkEnvVar for each + variable you want. Please note that, like JkEnvVar, these + variables are available from the request attributes, not as + environment variables or as request headers. +

+
JkHTTPSIndicator

+Name of the Apache environment variable that contains SSL indication. +
+The default value is "HTTPS". +

JkCERTSIndicator

+Name of the Apache environment variable that contains SSL client certificates. +
+The default value is "SSL_CLIENT_CERT". +

JkCIPHERIndicator

+Name of the Apache environment variable that contains SSL client cipher. +
+The default value is "SSL_CIPHER". +

JkCERTCHAINPrefix

+Name of the Apache environment (prefix) that contains SSL client chain certificates. +
+The default value is "SSL_CLIENT_CERT_CHAIN_". +

JkSESSIONIndicator

+Name of the Apache environment variable that contains SSL session. +
+The default value is "SSL_SESSION_ID". +

JkKEYSIZEIndicator

+Name of the Apache environment variable that contains SSL key size in use. +
+The default value is "SSL_CIPHER_USEKEYSIZE". +

JkLocalNameIndicator

+Name of the Apache environment variable which can be used to overwrite +the forwarded local name. +Use this only if you need to adjust the data (see the +proxy documentation). +
+The default value is "JK_LOCAL_NAME". +
+This directive has been added in version 1.2.28 of mod_jk. +

JkLocalPortIndicator

+Name of the Apache environment variable which can be used to overwrite +the forwarded local port. +Use this only if you need to adjust the data (see the +proxy documentation). +
+The default value is "JK_LOCAL_PORT". +
+This directive has been added in version 1.2.28 of mod_jk. +

JkRemoteHostIndicator

+Name of the Apache environment variable which can be used to overwrite +the forwarded remote (client) host name. +Use this only if you need to adjust the data (see the +proxy documentation). +
+The default value is "JK_REMOTE_HOST". +
+This directive has been added in version 1.2.28 of mod_jk. +

JkRemoteAddrIndicator

+Name of the Apache environment variable which can be used to overwrite +the forwarded remote (client) IP address. +Use this only if you need to adjust the data (see the +proxy documentation). +
+The default value is "JK_REMOTE_ADDR". +
+This directive has been added in version 1.2.28 of mod_jk. +

JkRemotePortIndicator

+Name of the Apache environment variable which can be used to overwrite +the forwarded remote (client) IP address. +Use this only if you need to adjust the data (see the +proxy documentation). +
+The default value is "JK_REMOTE_PORT". +
+This directive has been added in version 1.2.32 of mod_jk. +

JkRemoteUserIndicator

+Name of the Apache environment variable which can be used to overwrite +the forwarded user name. +Use this only if you need to adjust the data (see the +proxy documentation). +
+The default value is "JK_REMOTE_USER". +
+This directive has been added in version 1.2.28 of mod_jk. +

JkAuthTypeIndicator

+Name of the Apache environment variable which can be used to overwrite +the forwarded authentication type. +Use this only if you need to adjust the data (see the +proxy documentation). +
+The default value is "JK_AUTH_TYPE". +
+This directive has been added in version 1.2.28 of mod_jk. +

JkOptions

+Set one of more options to configure the mod_jk module. See below for +details about this directive. +
+This directive can be used multiple times per virtual server. +
+The default value is "ForwardURIProxy" since version 1.2.24. +It was "ForwardURICompatUnparsed" in version 1.2.23 and +"ForwardURICompat" until version 1.2.22. +

JkEnvVar

+Adds a name and an optional default value of environment variable +that should be sent to servlet-engine as a request attribute. +If the default value is not given explicitly, the variable +will only be send, if it is set during runtime. +
+The default is empty, so no additional variables will be sent. +
+This directive can be used multiple times per virtual server. +The settings will be merged between the global server and any +virtual server. +
+You can retrieve the variables on Tomcat as request attributes +via request.getAttribute(attributeName). Note that the variables +send via JkEnvVar will not be listed in request.getAttributeNames(). +
+Empty default values are supported since version 1.2.20. +Not sending variables with empty defaults and empty runtime value +has been introduced in version 1.2.21. +

JkStripSession

+If this directive is set to On in some virtual server, +the session IDs ;jsessionid=... will be +removed for non matched URLs. +
+This directive is only allowed inside VirtualHost. +
+The default is Off. +
+This directive has been introduced in version 1.2.21. +
With version 1.2.27 and later this directive can have optional +session ID identifier. If not specified it defaults to +;jsessionid. +

+
+
Configuration Directives Types
+

+We'll discuss here the mod_jk directive types. +

+ +
Define workers
+

+JkWorkersFile specify the location where mod_jk will find the workers definitions. +Take a look at Workers documentation for detailed description. + +

+  JkWorkersFile     /etc/httpd/conf/workers.properties
+
+ +
+
+

+ +
+ +
Logging
+

+JkLogFile specify the location where mod_jk is going to place its log file. +

+ +
+  JkLogFile     /var/log/httpd/mod_jk.log
+
+ +

+Since JK 1.2.3 for Apache 2.x and JK 1.2.16 for Apache 1.3 this can also +be used for piped logging: +

+ +
+  JkLogFile     "|/usr/bin/rotatelogs /var/log/httpd/mod_jk.log 86400"
+
+ +

+JkLogLevel +set the log level between : +

+ +
    +
  • +info log will contain standard mod_jk activity (default). +
    • +
  • +warn log will contain non fatal error reports. +
    • +
  • +error log will contain also error reports. +
    • +
  • +debug log will contain all information on mod_jk activity +
    • +
  • +trace log will contain all tracing information on mod_jk activity +
    • +
+ +
  
+  JkLogLevel    info
+
+ +

+info should be your default selection for normal operations. +
+
+

+ +

+JkLogStampFormat will configure the date/time format found on mod_jk log file. +Using the strftime() format string it's set by
+default to "[%a %b %d %H:%M:%S %Y]" +

+ +
+  JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
+
+ +

+
+
+

+ +

+JkRequestLogFormat will configure the format of mod_jk individual request logging. +Request logging is configured and enabled on a per virtual host basis. +To enable request logging for a virtual host just add a JkRequestLogFormat config. +The syntax of the format string is similar to the Apache LogFormat command, +here is a list of the available request log format options: +

+ +

+
OptionsDescription
%bBytes sent, excluding HTTP headers (CLF format)
%BBytes sent, excluding HTTP headers
%HThe request protocol
%mThe request method
%pThe canonical Port of the server serving the request
%qThe query string (prepended with a ? if a query string exists, otherwise an empty string)
%rFirst line of request
%sRequest HTTP status code
%TRequest duration, elapsed time to handle request in seconds '.' micro seconds
%UThe URL path requested, not including any query string.
%vThe canonical ServerName of the server serving the request
%VThe server name according to the UseCanonicalName setting
%wTomcat worker name
%RReal worker name
+ +

+  JkRequestLogFormat     "%w %V %T"
+
+ +
+
+

+ +

+You can also log mod_jk information using the Apache standard module mod_log_config. +The module sets several notes in the Apache httpd notes table. +Most of them are are only useful in combination with a load balancer worker. +

+ +

+
NoteDescription
JK_WORKER_NAMEName of the worker selected by the URI mapping
JK_WORKER_TYPEType of the worker selected by the URI mapping
JK_WORKER_ROUTEActual worker name selected by the URI mapping (usually a member of the load balancer).
+ Before version 1.2.26 only available if JkRequestLogFormat is set.
JK_REQUEST_DURATIONRequest duration in seconds and microseconds.
+ Before version 1.2.26 only available if JkRequestLogFormat is set.
JK_LB_FIRST_NAMELoad-Balancer: Name of the first worker tried
JK_LB_FIRST_TYPELoad-Balancer: Type of the first worker tried
JK_LB_FIRST_ACCESSEDLoad-Balancer: Access count for the first worker tried
JK_LB_FIRST_READLoad-Balancer: Bytes read for the first worker tried
JK_LB_FIRST_TRANSFERREDLoad-Balancer: Bytes transferred for the first worker tried
JK_LB_FIRST_ERRORSLoad-Balancer: Error count for the first worker tried
JK_LB_FIRST_BUSYLoad-Balancer: Busy count for the first worker tried
JK_LB_FIRST_ACTIVATIONLoad-Balancer: Activation state for the first worker tried
JK_LB_FIRST_STATELoad-Balancer: Error state for the first worker tried
JK_LB_LAST_NAMELoad-Balancer: Name of the last worker tried
JK_LB_LAST_TYPELoad-Balancer: Type of the last worker tried
JK_LB_LAST_ACCESSEDLoad-Balancer: Access count for the last worker tried
JK_LB_LAST_READLoad-Balancer: Bytes read for the last worker tried
JK_LB_LAST_TRANSFERREDLoad-Balancer: Bytes transferred for the last worker tried
JK_LB_LAST_ERRORSLoad-Balancer: Error count for the last worker tried
JK_LB_LAST_BUSYLoad-Balancer: Busy count for the last worker tried
JK_LB_LAST_ACTIVATIONLoad-Balancer: Activation state for the last worker tried
JK_LB_LAST_STATELoad-Balancer: Error state for the last worker tried
+ +

+  LogFormat     "%h %l %u %t \"%r\" %>s %b %{JK_WORKER_NAME}n %{JK_LB_FIRST_NAME}n \
+                 %{JK_LB_FIRST_BUSY}n %{JK_LB_LAST_NAME}n %{JK_LB_LAST_BUSY}n" mod_jk_log
+  CustomLog     logs/access_log     mod_jk_log
+
+ +
+
+

+ +
+ +
Forwarding
+

+The directive JkOptions allow you to set many forwarding options which will enable (+) +or disable (-) following option. Without any leading signs, options will be enabled. +
+
+

+ +

+The four following options +ForwardURIxxx are mutually exclusive. +Exactly one of them is required, a negative sign prefix is not allowed with them. +The default value is "ForwardURIProxy" since version 1.2.24. +It was "ForwardURICompatUnparsed" in version 1.2.23 and +"ForwardURICompat" until version 1.2.22. +You can turn the default off by switching on one of the other two options. +You should leave this at it's default value, unless you have a very good +reason to change it. +
+
+

+ +

+All options are inherited from the global server to virtual hosts. +Options that support enabling (plus options) and disabling (minus options), +are inherited in the following way: +
+
+options(vhost) = plus_options(global) - minus_options(global) + plus_options(vhost) - minus_options(vhost) +
+
+

+ +

+Using JkOptions ForwardURIProxy, the forwarded URI +will be partially reencoded after processing inside Apache httpd and +before forwarding to Tomcat. This will be compatible with local +URL manipulation by mod_rewrite and with URL encoded session ids. + +

+  JkOptions     +ForwardURIProxy
+
+ +
+
+

+ +

+Using JkOptions ForwardURICompatUnparsed, the forwarded URI +will be unparsed. It's spec compliant and secure. +It will always forward the original request URI, so rewriting +URIs with mod_rewrite and then forwarding the rewritten URI +will not work. + +

+  JkOptions     +ForwardURICompatUnparsed
+
+ +
+
+

+ +

+Using JkOptions ForwardURICompat, the forwarded URI will +be decoded by Apache httpd. Encoded characters will be decoded and +explicit path components like ".." will already be resolved. +This is less spec compliant and is not safe if you are using +prefix JkMount. This option will allow to rewrite URIs with +mod_rewrite before forwarding. + +

+  JkOptions     +ForwardURICompat
+
+ +
+
+

+ +

+Using JkOptions ForwardURIEscaped, the forwarded URI will +be the encoded form of the URI used by ForwardURICompat. +Explicit path components like ".." will already be resolved. +This will not work in combination with URL encoded session IDs, +but it will allow to rewrite URIs with mod_rewrite before forwarding. + +

+  JkOptions     +ForwardURIEscaped
+
+ +
+
+

+ +

+JkOptions RejectUnsafeURI will block all +URLs, which contain percent signs '%' or backslashes '\' +after decoding. +
+
+

+

+Most web apps do not use such URLs. Using the option RejectUnsafeURI, you +can block several well known URL encoding attacks. By default, this option +is not set. +

+

+You can also realise such a check with mod_rewrite, which is more powerful +but also slightly more complicated. + +

  
+  JkOptions     +RejectUnsafeURI
+
+ +
+
+

+ +

+JkOptions ForwardDirectories is used in conjunction with DirectoryIndex +directive of Apache web server. As such mod_dir should be available to Apache, +statically or dynamically (DSO) +
+
+

+ +

+When DirectoryIndex is configured, Apache will create sub-requests for +each of the local-url's specified in the directive, to determine if there is a +local file that matches (this is done by stat-ing the file). +

+ +

+If ForwardDirectories is set to false (default) and Apache doesn't find any +files that match, Apache will serve the content of the directory (if directive +Options specifies Indexes for that directory) or a 403 Forbidden response (if +directive Options doesn't specify Indexes for that directory). +

+ +

+If ForwardDirectories is set to true and Apache doesn't find any files that +match, the request will be forwarded to Tomcat for resolution. This is used in +cases when Apache cannot see the index files on the file system for various +reasons: Tomcat is running on a different machine, the JSP file has been +precompiled etc. +

+ +

Note that locally visible files will take precedence over the +ones visible only to Tomcat (i.e. if Apache can see the file, that's the one +that's going to get served). This is important if there is more then one type of +file that Tomcat normally serves - for instance Velocity pages and JSP pages. + +

  
+  JkOptions     +ForwardDirectories
+
+
+
+

+ +

+JkOptions ForwardLocalAddress, you ask mod_jk to send the local address, +of the Apache web server instead remote client address. This can be used by +Tomcat remote address valve for allowing connections only from registered Apache +web servers. + +

  
+  JkOptions     +ForwardLocalAddress
+
+ +
+
+

+ +

+JkOptions FlushPackets, you ask mod_jk to flush Apache's connection +buffer after each AJP packet chunk received from Tomcat. This option can have +a strong performance penalty for Apache and Tomcat as writes are performed +more often than would normally be required (ie: at the end of each +response). + +

  
+  JkOptions     +FlushPackets
+
+ +
+
+

+ +

+JkOptions FlushHeader, you ask mod_jk to flush Apache's connection +buffer after the response headers have been received from Tomcat. + +

  
+  JkOptions     +FlushHeader
+
+ +
+
+

+ +

+JkOptions DisableReuse, you ask mod_jk to close connections immediately +after their use. Normally mod_jk uses persistent connections and pools idle +connections to reuse them, when new requests have to be sent to Tomcat. +

+ +

+Using this option will have a strong performance penalty for Apache and Tomcat. +Use this only as a last resort in case of unfixable network problems. +If a firewall between Apache and Tomcat silently kills idle connections, +try to use the worker attribute socket_keepalive in combination with an appropriate +TCP keepalive value in your OS. + +

  
+  JkOptions     +DisableReuse
+
+ +
+
+

+ +

+JkOptions ForwardKeySize, you ask mod_jk, when using ajp13, to forward also the SSL Key Size as +required by Servlet API 2.3. +This flag shouldn't be set when servlet engine is Tomcat 3.2.x (on by default). + +

  
+  JkOptions     +ForwardKeySize
+
+ +
+
+

+ +

+JkOptions ForwardSSLCertChain, you ask mod_jk, when using ajp13, +to forward SSL certificate chain (off by default). +Mod_jk only passes the SSL_CLIENT_CERT to the AJP connector. This is not a +problem with self-signed certificates or certificates directly signed by the +root CA certificate. However, there's a large number of certificates signed by +an intermediate CA certificate, where this is a significant problem: A servlet +will not have the possibility to validate the client certificate on its own. The +bug would be fixed by passing on the SSL_CLIENT_CERT_CHAIN to Tomcat via the AJP connector. +
+This directive exists only since version 1.2.22. +

  
+  JkOptions     +ForwardSSLCertChain
+
+ +
+
+

+ +

+The directive JkEnvVar allows you to forward environment variables +from Apache server to Tomcat engine. +You can add a default value as a second parameter to the directive. +If the default value is not given explicitly, the variable +will only be send, if it is set during runtime. +
+The variables can be retrieved on the Tomcat side as request attributes +via request.getAttribute(attributeName). +Note that the variables send via JkEnvVar will not be listed +in request.getAttributeNames(). +
+
+The variables are inherited from the global server to virtual hosts. + +

  
+  JkEnvVar     SSL_CLIENT_V_START     undefined
+
+
+
+

+ +
+ +
Assigning URLs to Tomcat
+

+If you have created a custom or local version of mod_jk.conf-local as noted above, +you can change settings such as the workers or URL prefix. +

+

+JkMount directive assign specific URLs to Tomcat. +In general the structure of a JkMount directive is: +

+ +
  
+  JkMount [URL prefix] [Worker name]
+
+ +
+  # send all requests ending in .jsp to worker1
+  JkMount /*.jsp worker1
+  # send all requests ending /servlet to worker1
+  JkMount /*/servlet/ worker1
+  # send all requests jsp requests to files located in /otherworker will go worker2
+  JkMount /otherworker/*.jsp worker2
+
+ +

+You can use the JkMount directive at the top level or inside <VirtualHost> +sections of your httpd.conf file. +

+

JkUnMount directive acts as an opposite to JkMount and blocks access +to a particular URL. The purpose is to be able to filter out the particular content +types from mounted context. The following example mounts /servlet/* +context, but all .gif files that belongs to that context are not served. +

+
+  # send all requests ending with /servlet to worker1
+  JkMount /servlet/* worker1
+  # do not send requests ending with .gif to worker1
+  JkUnMount /servlet/*.gif worker1
+
+

+JkUnMount takes precedence over JkMount directives, meaning that the JK +will first try to mount and then checks, if there is an exclusion defined by a +JkUnMount. A JkUnMount overrides a JkMount only, if the worker names in the +JkMount and in the JkUnMount are the same. +

+

+The following example will block all .gif files although there is a JkMount for them: +

+
+  # do not send requests ending with .gif to worker1
+  JkUnMount /*.gif worker1
+  # The .gif files will not be mounted cause JkUnMount takes
+  # precedence over JkMount directive
+  JkMount /servlet/*.gif worker1
+
+

+Starting with version 1.2.26 of JK you can apply a JkUnMount to any worker, +by using the star character '*' as the worker name in the JkUnMount. +More complex patterns in JkUnMount worker names are not allowed. +

+
+  # Mapping the webapps myapp1 and myapp2:
+  /myapp1/*=worker1
+  /myapp2/*=worker2
+  # Exclude the all subdirectories static for all workers:
+  !/*/static/*=*
+  # Exclude some suffixes for all workers:
+  !*.html=*
+
+

+JkAutoAlias directive automatically Alias webapp context directories into +the Apache document space. It enables Apache to serve a static context while Tomcat +serving dynamic context. This directive is used for convenience so that you don't +have to put an apache Alias directive for each application directory inside Tomcat's +webapp directory. For security reasons is is strongly recommended that JkMount +is used to pass all requests to Tomcat by default and JkUnMount is used to +explicitly exclude static content to be served by httpd. It should also be noted +that content served by httpd will bypass any security constraints defined in the +application's web.xml. +

+
+  # enter the full path to the tomcat webapps directory
+  JkAutoAlias /opt/tomtact/webapps
+
+

The following example shows how to serve a dynamic context by +Tomcat and static using Apache. The webapps directory has to +be accessible by apache.

+ +
+  # enter the full path to the tomcat webapps directory
+  JkAutoAlias /opt/tomtact/webapps
+
+  # Mount 'servlets-examples' directory. It's physical location
+  # is assumed to be in the /opt/tomtact/webapps/servlets-examples
+  # ajp13w is a worker defined in the workers.properties
+  JkMount /servlets-examples/* ajp13w
+
+  # Unmount desired static content from servlets-examples webapp.
+  # This content will be served by the httpd directly.
+  JkUnMount /servlets-examples/*.gif ajp13w
+  JkUnMount /servlets-examples/*.jpg ajp13w
+
+

Note that you can have a single JkAutoAlias directive per virtual +host inside your httpd.conf +

+

+JkWorkerProperty is a new directive available from JK 1.2.7 +version. It is a convenient method for setting directives that are +usually set inside workers.propeties file. The parameter for +that directive is raw line from workers.properties file. +

+
+  # Just like workers.properties but exact line is prefixed
+  # with JkWorkerProperty
+
+  # Minimal jk configuration
+  JkWorkerProperty worker.list=ajp13w
+  JkWorkerProperty worker.ajp13w.type=ajp13
+  JkWorkerProperty worker.ajp13w.host=localhost
+  JkWorkerProperty worker.ajp13w.port=8009   
+
+

+JkMountFile is a new directive available from JK 1.2.9 +version. It is used for dynamic updates of mount points at runtime. +When the mount file is changed, JK will reload it's content. +

+
+  # Load mount points
+
+  JkMountFile conf/uriworkermap.properties
+
+

If the mount point uri starts with an exclamation mark '!' +it defines an exclusion in the same way JkUnMount does. +If the mount point uri starts with minus sign '-' +the mount point will only be disabled. A disabled mount can be reenabled +by deleting the minus sign and waiting for the JkMountFile to reload. +An exclusion can be disabled by prefixing it with a minus sign. +

+
+  # Sample uriworkermap.properties file
+
+  /servlets-examples/*=ajp13w
+  # Do not map .jpeg files
+  !/servlets-examples/*.jpeg=ajp13w
+  # Make jsp examples initially disabled  
+  -/jsp-examples/*=ajp13w
+
+

At run time you can change the content of this file. For example +removing minus signs will enable the previously disabled uri mappings. +You can add any number of new entries at runtime that reflects the newly deployed +applications. Apache will reload the file and update the mount +points within 60 second interval. +

+

+There is no way to delete entries by dynamic reloading, but you can disable or +exclude mappings. +
+
+

+ +
+ +
Using SetHandler and Environment Variables
+

+Alternatively to the mod_jk specific directives, you can also use +SetHandler and environment variables to control, which requests +are being forwarded via which worker. This gives you more flexibility, +but the results might be more difficult to understand. If you mix both +ways of defining the forwards, in general to mod_jk directives will win. +

+

+SetHandler jakarta-servlet forces requests to be handled by mod_jk. +If you neither specify any workers via JkMount and the related directives, +not via the environment variable described below, +the first worker in the list of all worker will be chosen. You can use SetHandler +for example in Location blocks or with Apache 2.2 also in RewriteRule. +

+

+In order to control the worker using SetEnvIf or RewriteRule +for more complex rules, you can set the environment variable JK_WORKER_NAME +to the name of your chosen target worker. This enables you to decide on +the chosen worker in a more flexible way, including dependencies on cookie values. +This feature has been added in version 1.2.19 of mod_jk. +

+

+In order to use another variable than JK_WORKER_NAME, you can set the name +of this variable via the JkWorkerIndicator directive. +

+

+You can also define exclusions from mod_jk forwards by setting the environment +variable no-jk. +

+
+  # Automatically map all encoded urls
+  <Location *;jsessionid=>
+    SetHandler jakarta-servlet
+    SetEnv JK_WORKER_NAME my_worker
+  </Location>
+
+  # Map all subdirs to workers via naming rule
+  # and exclude static content.
+  <Location /apps/>
+    SetHandler jakarta-servlet
+    SetEnvIf REQUEST_URI ^/apps/([^/]*)/ JK_WORKER_NAME=$1
+    SetEnvIf REQUEST_URI ^/apps/([^/]*)/static no-jk
+  </Location>
+
+

+Finally, starting with version 1.2.27 you can use the environment variable +JK_REPLY_TIMEOUT to dynamically set a reply timeout. +

+
+
+ Copyright © 1999-2011, Apache Software Foundation +
\ No newline at end of file -- cgit 1.2.3-korg